Postfix SpamAssassin - FreeBSD

Nowadays implementing Spam Prevention on a mail server is vital. Whilst Postfix has many directives that can be set, it is advisable to implement some type of filtering system to keep the spammers at bay. SpamAssassin uses a variety of spam-detection techniques, including DNS and fuzzy checksum techniques, Bayesian filtering, external programs, blacklists and online databases.

In this post I will use spamass-milter in association with SpamAssassin to provide "Before Queue" filtering. This post should be sufficient to get you up and running with a Spam Prevention implementation. Further reading of the Official SpamAssassin Documentation is strongly advised.

Installation

As ever, on FreeBSD, installing packages is a trivial endeavour.

pkg install spamassassin spamass-milter

Then we need to configure /etc/rc.conf to allow these services to start.

vi /etc/rc.conf

spamd_enable="YES"
spamd_flags="-d -u spamd -H /var/spool/spamd"

spamass_milter_enable="YES"
spamass_milter_flags="-r 15 -f -u spamd -p /var/run/spamass-milter.sock"
spamass_milter_socket_owner="spamd"
spamass_milter_socket_group="mail"
spamass_milter_socket_mode="660"

As you have most likely noticed, we have added several flags for SpamAssassin and Spamass-Milter. This is more or less all the configuration these services need, and I will explain the flags shortly when I describe how SpamAssassin and Spamass-Milter work together.

Further, we need to add some directives to Postfix. These are just settings for Spamass-Milter, as Postfix never talks to SpamAssassin directly.

# tail /usr/local/etc/postfix/main.cf

# --------------------------------
# SPAMASS-MILTER CONFIGURATION
# --------------------------------
#
smtpd_milters=unix:/var/run/spamass-milter.sock
milter_protocol = 6
milter_default_action = accept
milter_connect_macros= i j {daemon_name} v {if_name} _

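I will explain any directives later should they need more clarification. One is worth noting now: milter_default_action = accept tells Postfix to carry on as if no filter were present whenever the milter cannot be reached, so mail is delivered unscanned; the Postfix default, tempfail, answers with a temporary error instead so the sending server retries later.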

Start the necessary services

We can now start this trio of services and Postfix will have Spam filtering enabled.

# service postfix restart
# service sa-spamd start
# service spamass-milter start

Spam Assassin Operation

Now that we are protected, I would like to talk about the operation of this combination of services.

In effect, the service that does the filtering on mail is spamass-milter. Spam Assassin just tags whether or not an email is spam according to its rule sets.

The default setting for Spam Assassin to mark an email as spam is 5.0, and this can be found in the /usr/local/etc/mail/spamassassin/local.cf file:

#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

A mail will only be rejected if its score is above the value of the Spamass-Milter -r flag (spamass_milter_flags="-r 15") set in /etc/rc.conf; in the default case, 15. What Spamass-Milter will do is add headers to the email that mark it as spam. Any email with a Spam Assassin score higher than 15 will be marked similarly, with headers as follows:

X-Spam-Flag: YES
X-Spam-Status: Yes, score=1001.3 required=5.0 tests=ALL_TRUSTED,
        DATE_IN_PAST_96_XX,GTUBE,HEADER_FROM_DIFFERENT_DOMAINS autolearn=no
        autolearn_force=no version=3.4.4
X-Spam-Level: **************************************************
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
        mail.example-1.net

Sending a spammy email

Let's send some filthy spam and check for ourselves. SpamAssassin makes an example spam mail message available as sample-spam.txt.

This can be used in combination with "The Swiss Army Knife for SMTP" (swaks), which can be installed from FreeBSD packages:

# pkg install swaks

It is not possible to send the spam message directly from the mail server, as it would be placed directly in the mail queue and bypass the Spamass-Milter; therefore, swaks is being used as the MUA. The test email can be sent as follows:

# swaks --to pbd@example-1.net --server localhost --data ~/sample-spam.txt

Once we have sent and received this email, we can check the headers ourselves.

# head -n 30 /var/spool/imap/domain/example-1.net.cc/user/pbd/11.
...
...
...
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
Precedence: junk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_605DADDD.A4055DF9"
Content-Transfer-Encoding: 7bit
X-Spam-Flag: YES
X-Spam-Status: Yes, score=1001.3 required=5.0 tests=ALL_TRUSTED,
        DATE_IN_PAST_96_XX,GTUBE,HEADER_FROM_DIFFERENT_DOMAINS autolearn=no
        autolearn_force=no version=3.4.4
X-Spam-Level: **************************************************
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
        mail.example-1.net

This is a multi-part message in MIME format.

------------=_605DADDD.A4055DF9
Content-Type: text/plain; charset=iso-8859-1
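
The header check above can also be scripted. The following is an added example, not part of the original post: spam_verdict reads one message on standard input, unfolds the X-Spam-Status header and compares the score with the two thresholds discussed earlier (required_score 5.0 and the milter's -r 15). The function names, the constructed sample message and the handling of a score exactly equal to a threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify one message by the
# X-Spam-Status header that SpamAssassin wrote into it.

# spam_score: read a message on stdin, print the score from X-Spam-Status.
spam_score() {
    awk '
        /^[ \t]*\r?$/ { exit }                    # blank line ends the headers
        /^[ \t]/ { if (inhdr) val = val " " $0; next }   # folded continuation
        { inhdr = 0 }
        val == "" && tolower($0) ~ /^x-spam-status:/ { inhdr = 1; val = $0 }
        END {
            if (match(val, /score=-?[0-9]+(\.[0-9]+)?/))
                print substr(val, RSTART + 6, RLENGTH - 6)
        }'
}

# spam_verdict [REQUIRED] [REJECT]: read a message on stdin and print
# "clean|tagged|reject SCORE", or "unscanned" when no score header exists.
# Defaults mirror the page: required_score 5.0, spamass-milter -r 15.
# Treating a score equal to a threshold as over it is this example's assumption.
spam_verdict() {
    score=$(spam_score)
    [ -n "$score" ] || { echo "unscanned"; return 0; }
    awk -v s="$score" -v req="${1:-5.0}" -v rej="${2:-15}" 'BEGIN {
        if (s >= rej) v = "reject"; else if (s >= req) v = "tagged"; else v = "clean"
        print v, s
    }'
}

# Constructed sample, modelled on the headers shown above.
sample_message() {
    cat <<'EOF'
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
X-Spam-Flag: YES
X-Spam-Status: Yes, score=1001.3 required=5.0 tests=ALL_TRUSTED,
        DATE_IN_PAST_96_XX,GTUBE,HEADER_FROM_DIFFERENT_DOMAINS autolearn=no
        autolearn_force=no version=3.4.4

This is a multi-part message in MIME format.
EOF
}

sample_message | spam_verdict
```

Run it against a stored message with spam_verdict < FILE; an "unscanned" result on mail that arrived over SMTP means the message passed without being scored.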

That is a brief introduction to setting up SpamAssassin and showing how it works. It is by no means an exhaustive explanation but, like most of my posts, I hope it is helpful to get you up and running so you can explore further on your own systems.

One more thing...

To keep the Spam Assassin rulesets up to date, Spam Assassin includes a program named sa-update. This needs to be run regularly, so sa-update is a good candidate to be placed in a nightly cron job.
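
One way to write that nightly job, as an added example that is not part of the original post: sa-update exits 0 when new rules were installed and 1 when there was nothing new, so the wrapper restarts spamd only in the first case and reports any other exit code so that cron mails it. The script path, the schedule and the SA_UPDATE and SPAMD_RESTART override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): nightly sa-update wrapper.
# Crontab line (assumed schedule and install path):
#   17 3 * * * /usr/local/sbin/sa-update-nightly.sh --run
# Both commands can be overridden from the environment, e.g. for a dry run.
: "${SA_UPDATE:=/usr/local/bin/sa-update}"        # assumed path of the binary
: "${SPAMD_RESTART:=service sa-spamd restart}"    # service name as used above

nightly_sa_update() {
    rc=0
    $SA_UPDATE || rc=$?
    case "$rc" in
        0)  # new rules were downloaded and installed: spamd must reload them
            # (SPAMD_RESTART is left unquoted so it splits into command + args)
            $SPAMD_RESTART >/dev/null || {
                echo "sa-update: rules updated but spamd restart failed" >&2
                return 1
            }
            echo "updated" ;;
        1)  # no fresh updates available: nothing to do
            echo "current" ;;
        *)  # lint failure or error: spamd keeps running with the old rules
            echo "sa-update failed (exit $rc); old rules still in use" >&2
            echo "failed"
            return "$rc" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    nightly_sa_update
fi
```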